RSAC 2025: Reckless Rabbit and Ruthless Rabbit scams snag info, money – Go Health Pro

A pair of cyberfraud scams has been uncovered that use social-engineering tactics to trick victims into handing over sensitive data under the guise of an investment plan.

Known as “Reckless Rabbit” and “Ruthless Rabbit,” the campaigns offer users the lure of lucrative financial rewards in exchange for handing over their personal information and performing money transfers on behalf of the threat actors.

(For Complete Live RSAC 2025 Coverage by SC Media Visit SCWorld.com/RSAC)

Researchers with security vendor Infoblox told SC Media that the attackers are particularly devious in their use of Traffic Distribution Systems (TDS) to manage the traffic from potential victims.

Typically, the scam is launched when the user visits a social media post, often from a faked celebrity account. The posts direct the user to a phony investment site that uses a clever bit of traffic validation to separate the high-value targets from those in countries possessing less wealth.

Should the user’s IP address, phone number and address be deemed worthy of exploitation, the attack proceeds and the target is scammed into sending the threat actors money via an account transfer. Those of lesser means will instead be redirected to a landing page.

In addition to filtering potential marks by their geographic location, the TDS tools are set up to scan for potential bot traffic and for honeypots that security vendors set up to catch cybercrime threat actors.

“In many campaigns, if a user passes the validation, a TDS routes them either directly to the investment scam platform where they are encouraged to transfer money, or to a page that thanks them for registering and says a representative will contact them with additional information,” Infoblox explained.

“Some campaigns use call centers to provide the victims with instructions on how to set up an account and transfer money into the fake investment platform.”

Infoblox said that at least one of the cybercrime operations, Ruthless Rabbit, can be directly traced back to addresses within Russia. The scam also appears to be largely focused on systems in Eastern Europe.

Additionally, the scams use the automated registration of new domains, as well as a DNS redirection system and second-level domain (SLD) setups, to confuse threat hunters who might be tracking the scam.

“This makes it difficult to determine which subdomains are actively being used by an actor, and which subdomains are random queries triggered by, for example, security researchers,” the Infoblox team explained.

“In this case, security tools may not add the SLD to their feeds and instead only add the subdomains that were confirmed to contain malicious content, thereby helping the actor to use their domains longer.”

The researchers noted that such scams are particularly nefarious not only because they use social engineering and the promise of a quick payoff to lure in victims, but because their evasion techniques are particularly hard for defenders to detect and counter in the wild.

“Threat actors like Reckless and Ruthless Rabbits will be relentless in their attempts to trick as many users as possible,” the Infoblox researchers said.

“Because these types of scams have proven to be highly profitable for them, they will continue to grow rapidly — both in number and sophistication.”
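
The feed gap Infoblox describes, where only confirmed subdomains are listed and the SLD is left out, can be shown with a small roll-up check. This is an added example, not code from Infoblox or SC Media; the function names, the `min_subdomains` threshold, the short suffix set and the `.example` hostnames are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumption: a tiny stand-in for the Public Suffix List. Production code
# should use the full list to find the registrable domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.pl", "com.ua"}


def sld_of(fqdn):
    """Return the registrable (second-level) domain of a hostname."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def roll_up(confirmed_fqdns, min_subdomains=3):
    """Promote an SLD to the feed once enough distinct subdomains are confirmed.

    The threshold (hypothetical default of 3) keeps a single bad host on a
    shared or benign domain from blocking the whole SLD.
    """
    seen = defaultdict(set)
    for name in confirmed_fqdns:
        seen[sld_of(name)].add(name.lower().rstrip("."))
    return {sld for sld, subs in seen.items() if len(subs) >= min_subdomains}


def blocked(query, exact_feed, sld_feed):
    """Check one DNS query against a subdomain-only feed and an SLD feed."""
    q = query.lower().rstrip(".")
    return {"exact": q in exact_feed, "sld": sld_of(q) in sld_feed}


# Constructed sample data using reserved .example names, not real indicators.
CONFIRMED = [
    "a8k2.invest-promo.example",
    "q91x.invest-promo.example",
    "zz04.invest-promo.example",
    "shop.benign-store.example",
]

if __name__ == "__main__":
    exact = {n.lower() for n in CONFIRMED}
    slds = roll_up(CONFIRMED)
    # A subdomain never seen before slips past the exact feed but not the SLD feed.
    print(blocked("m3p7.invest-promo.example", exact, slds))
    print(blocked("www.benign-store.example", exact, slds))
```

A previously unseen subdomain under the promoted SLD is missed by the subdomain-only feed and caught by the SLD entry, while the single-hit domain stays unblocked.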
